Malicious PDF — malware analysis report

Static analysis result for SHA-256 76043b4d0a1e28b7…

MALICIOUS

PDF

51.2 KB Authoring application: GIMP
MD5: ea58c7b2f0b6905f817604e39233b0d0 SHA-1: a3b723549fc9013f22b6dd1098f3a769eb01024e SHA-256: 76043b4d0a1e28b74197c1f633eab60fa0187f3c7b33883e55923220db3b54fb
252 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for SEO poisoning or phishing lures. The document body instructs the user to 'Run macro in protected excel sheet', indicating a social engineering attempt to bypass security measures. The presence of ML_NYX_PDF_MALICIOUS and ClamAV detections, along with the link farm heuristic, strongly suggests this PDF is designed to download and execute a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://saaqld.com/uploads/1/3/0/5/130588499/5184636.pdf
    • http://misofole.kupidomofon.ru/uploads/2020/01/28/256f203d.pdf
    • http://naturalhand.net/uploads/1/3/0/5/130546759/2548720.pdf
    • http://mytajfashionincorporated.com/uploads/1/3/0/4/130488975/9857761.pdf
    • http://sherylpreston.com/uploads/1/3/0/2/130288557/5237717.pdf
    • http://addictingshopping.com/uploads/1/3/0/6/130605358/kejoxexabate-jinujivew-guzudafunap-pigim.pdf
    • http://sensitivoantonio.it/uploads/1/3/0/4/130477890/647924.pdf
    • http://nugazu.ohotavkarelii.ru/uploads/2020/01/28/bavavipexirugapun.pdf
    • http://debuze.support-accounts.online/uploads/2020/01/28/d0c89b.pdf
    • http://teszeri.com/uploads/1/3/0/6/130621645/9840b72defb.pdf
    • http://northernrailleaders.com/uploads/1/3/0/6/130621051/130621051.html#run+macro+in+protected+excel+sheet

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000153c.bin
65f3a7ab453d1531ca9b4897389f1e66a5537de32d3bb1eff754ed150cad3a08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x153C 8908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.